Re: New MITM cert incident - Cyberoam

2012-07-07 Thread Kyle Hamilton
On Thu, Jul 5, 2012 at 1:19 PM, John Nagle wrote:
> On 7/4/2012 7:07 PM, Daniel Veditz wrote:
>
>> If we implement cert pinning we'll either have to allow that kind of
>> business to disable it, or write off our users who work for
>> companies with that kind of control freakery. It's more common t

Re: WebAPI meta: permission prompts considered harmful

2012-04-20 Thread Kyle Hamilton
Suggestion: "Program is attempting to on . If you expected it to, tap here. If not, tap below." Then, if the same permission dialog keeps happening at the same point in the same process, and the user has never said "no", allow the option to save a "just say yes" or "just say no" for that

Re: Fixing SSL quickly (not), or why certs need business identity data.

2012-03-30 Thread Kyle Hamilton
On Thu, Mar 29, 2012 at 8:38 AM, John Nagle wrote:
>>> Anything that takes a credit card should have at least "organization
>>> validated".
>> Can you actually think of a reason for that?
> Anonymous online businesses are illegal.
>
> It's a criminal offense in California to accept a credit card

Waking from the Email Key Management Nightmare

2012-03-30 Thread Kyle Hamilton
(I mentioned this to mgoodwin in the #security channel on irc.mozilla.org, and he suggested I bring it here.) Waking from the Email Key Management Nightmare (or, Solving the Message Accessibility After Hardware Death Problem) (and, Solving the Key Distribution Problem Without Trent's Directory) C

Re: Policy discussion list that is read-only for the public

2012-01-11 Thread Kyle Hamilton
On Wed, Jan 11, 2012 at 9:36 AM, Gervase Markham wrote: Mozilla needs a space in between "public" and "security group" (or "employees"). We've needed one for a long time; this is just another manifestation of the issue. So how about representation of the users' interests within the "security

Re: Certificate problem

2011-06-27 Thread Kyle Hamilton
This sounds like something a bug needs to be filed on. If you have openssl, can you do: openssl s_client -connect 192.168.168.132 -showcerts and send the dump thereof? My instant thought is that there might be an IP address in a subjectAltName entry of type dNSName, or an IP in the Common Name

Re: Security Problem?

2011-03-01 Thread Kyle Hamilton
Not everything is necessarily the browser's fault. This could be, for example, other malware. (I'm not saying that it is, just suggesting that it may be environment-based.) That said, it's hard to figure out where a security problem is if the only thing that can be seen is what's been left b

Re: Another Protocol Bites The Dust

2010-08-19 Thread Kyle Hamilton
(replying to a message on dev-security at mozilla, but since this affects OpenSSL more than Mozilla, I'm sending this one directly to openssl-users and bcc:ing dev-security. I hope the spam filter lets it through.) When handled properly (i.e., you don't rely on anything before the renegotiation,

Re: A new false issued certificate by Comdo?

2009-11-05 Thread Kyle Hamilton
then why not create an internal build of Firefox, embed your own root into it, and issue certificates from that root to the boxes that need it? Oh yeah, because people use computers for more than one purpose. A home machine can be used to VPN into work. Wake up, Mozilla. Your policy is not usef

OCSP responder key/certificate thoughts

2009-10-13 Thread Kyle Hamilton
[Please follow-up to dev-security-policy -- which is where most things having to do with CA and browser interaction policies are discussed.] I'm trying to figure out how much of the OCSP slowness and server underpowering is due to the sizes of the keys used, or limitations of the HSMs (and drivers

Re: Nonstandard ports and admin override?

2008-08-28 Thread Kyle Hamilton
On Tue, Aug 26, 2008 at 4:58 PM, Michael Lefevre <[EMAIL PROTECTED]> wrote:
> Kyle Hamilton wrote:
>> Hi, I'm trying to figure out (for testing purposes only -- I need to
>> verify a certificate on a POP3 server) if there's a way to override
>> Firefox 3

Nonstandard ports and admin override?

2008-08-26 Thread Kyle Hamilton
Hi, I'm trying to figure out (for testing purposes only -- I need to verify a certificate on a POP3 server) if there's a way to override Firefox 3's internal port blocking. The port in question is 995, which is POP3/secure. Of course, I'd very much like to understand why this happens: "Port Rest

Re: EV issues with redirects...

2008-07-07 Thread Kyle Hamilton
I actually did see the EV chrome indicator, but my network latency was fairly high. (If you want to simulate this, try torrenting Ubuntu.) It appeared to be a time-delay thing (based on 'oh hey, we've got an EV-validated connection') as opposed to a content-delay thing (such as "oh hey, this is a

Re: EV issues with redirects...

2008-07-03 Thread Kyle Hamilton
ed (this is separate from the "SSL to non-SSL" config preference which isn't enabled by default).
Thanks,
-Kyle H
On Thu, Jul 3, 2008 at 9:09 PM, Nelson Bolyard <[EMAIL PROTECTED]> wrote:
> Kyle Hamilton wrote, On 2008-07-03 19:51:
>> https://www.paypal.com/c